title: Submitting Opensmtpd Service to Guixrus
date: 2022-12-22 15:00
tags: libreboot retroboot
summary: Hopefully one day soon, you will be able to try my opensmtpd-records code.
---

EDIT 02-24-2023:  Through this whole process, I have used this guide to set up email.
If you are going to try to set up your own email service, do check it out:
<https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/>

I was recently encouraged by the delightfully friendly raghavgururajan to try to
merge my opensmtpd service project into guixrus, which is a small community
actively working to upstream packages and services into guix proper.  I figured,
why not?  Sounds like fun.  The following post will describe my developmental
workflow, which is probably pretty poor...

tl;dr

Soonish, I will clean up the code for a proper `opensmtpd-service-type` with
`opensmtpd-records` for guix system. It may take 6 months to get it in a clean
state. Until it is merged, you may find it here:

<https://git.sr.ht/~whereiseveryone/guixrus/commit/255875f7d86e92bb64006a59be26c64430c0c046>

The current documentation is here:

<https://notabug.org/jbranso/linode-guix-system-configuration/src/master/opensmtpd-records-documentation.txt>

My server's config is here:

<https://notabug.org/jbranso/linode-guix-system-configuration/src/master/linode-locke-lamora-current-config.scm>

The current task list is here:

<https://notabug.org/jbranso/linode-guix-system-configuration/src/master/opensmtpd.org>

I added the guixrus channel to my `~/.config/guix/channels.scm`:

    cat ~/.config/guix/channels.scm

    (cons* (channel  ;; for firefox-wayland
            (name 'nonguix)
            (url "https://gitlab.com/nonguix/nonguix")
            ;; Enable signature verification:
            (introduction
             (make-channel-introduction
              "897c1a470da759236cc11798f4e0a5f7d4d59fbc"
              (openpgp-fingerprint
               "2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5"))))
           (channel  ;; for sway-latest
            (name 'guixrus)
            (url "https://git.sr.ht/~whereiseveryone/guixrus")
            (introduction
             (make-channel-introduction
              "7c67c3a9f299517bfc4ce8235628657898dd26b2"
              (openpgp-fingerprint
               "CD2D 5EAA A98C CB37 DA91  D6B0 5F58 1664 7F8B E551"))))
           %default-channels)

Before I submit the patch, I should make sure that the code actually works. To
do that, I logged into my gnucode.me server and tried to set up the opensmtpd
server.

    guix pull --url=https://notabug.org/jbranso/guix/src/newOpensmtpdBranch \
        --branch=newOpensmtpdBranch

    Updating channel 'guix' from Git repository at 'https://notabug.org/jbranso/guix'...
    guix pull: error: Git error: cannot locate remote-tracking branch 'origin/keyring'

    guix pull --url=https://notabug.org/jbranso/guix \
        --commit=8abbb6c442d135ae8e7c1cb0e17525478fafe8f0

    Updating channel 'guix' from Git repository at 'https://notabug.org/jbranso/guix'...
    guix pull: error: Git error: cannot locate remote-tracking branch 'origin/keyring'

Hmm, well my opensmtpd service is NOT using signed commits.  That's probably the
problem.  Hmmm...  Well I guess I need to start signing my commits.  Generate a
gpg key.  grrr....

These three pages seem promising:

<https://moser-isi.ethz.ch/gpg.html>

<https://wiki.debian.org/Keysigning>

<https://risanb.com/code/backup-restore-gpg-key/>

    gpg --full-generate-key

    gpg: directory '/home/joshua/.gnupg/openpgp-revocs.d' created
    gpg: revocation certificate stored as '/home/joshua/.gnupg/openpgp-revocs.d/LOTSOFNUMBERS.rev'

I copied my Revocation-Certificate into my spare usb:

    sudo cp .gnupg/openpgp-revocs.d/LOTSOFNUMBERS.rev /mnt/gnucode.gpg.rev

Let's export my gpg key to the server.

    gpg --auto-key-locate keyserver -a --send-keys 67A42A3CC23F979886F9686C750BCFEF3A579572

    gpg -a --export gnucode


    gpg -a --export gnucode > gnucode.pub
    sudo cp gnucode.pub /mnt/

Now let's back up the gpg key.

    gpg --export-secret-keys --armor gnucode > secret-key-backup.asc
    sudo mv secret-key-backup.asc /mnt/

If I ever need to move that gpg key to another computer, all I have to do is:

    gpg --import /path/to/secret-key-backup.asc

Let's try testing a signed commit.

    git config --global commit.gpgsign true

<https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key>

    gpg --list-secret-keys --keyid-format=long

    # git config --global user.signingkey MYSIGNINGKEY
    git config --global alias.logs "log --show-signature"
    git commit -m "mail.scm: minor sanitization improvements."

Ok well let's try this to see what the error was:

    GIT_TRACE=1 git commit -m "blah" -S

    23:07:37.656401 git.c:460               trace: built-in: git commit -m blah -S
    23:07:37.678825 run-command.c:655       trace: run_command: gpg --status-fd=2 -bsau 750BCFEF3A579572
    error: gpg failed to sign the data
    fatal: failed to write commit object

    gpg --status-fd=2 -bsau 750BCFEF3A579572

As I was running through the above command, I realized that it is possible that
I did not have pinentry installed:

    guix install pinentry

    git logs

Now I think I will try rebooting and check to see if I can still sign git
commits.

And after I rebooted, I cannot sign commits with emacs...

Emacs says "hint: Waiting for your editor to close the file..."
"Waiting for Emacs"

Well online, I see this as a possible solution:

    git config --global core.editor emacs

Well that didn't quite work.  I was able to squash two commits, via emacs, but
only after the gpg agent had cached my private key password.  That makes
me think that magit is having a hard time querying me for my password.

Well let me try updating doom emacs.  I doubt that will work, but I'll try it.
That didn't work.  :(

Well I found a possible error here:

<https://github.com/magit/with-editor/issues/69>

<https://emacs.stackexchange.com/questions/74097/magit-cannot-commit-emacsclient-on-path-pop-os>

<https://magit.vc/manual/with-editor/Configuring-With_002dEditor.html>

Then I thought, how about I disable the with-editor elisp package that doom
emacs ships and instead `guix install emacs-with-editor`.  Let's try that.

    cat .doom.d/packages.el | grep with-editor

    (package! with-editor :disable t)

    doom upgrade
    doom sync
    guix install emacs-with-editor

Nope.  That didn't work either.  Hmmm.  I can get emacs to commit the message,
after the gpg agent caches my key's password.

Well let's try running emacs without any configuration:  `emacs -q`.  Nope.  That
also didn't work.  :(

My current theory is that my wayland only session is prohibiting the pinentry
from displaying, which is NOT allowing me to enter in my gpg password.  I shall
try temporarily enabling Xwayland and see if that fixes it.

    cat config | grep xwayland

    # disable xwayland.  Just trying it out
    xwayland enable

Yup!  That fixed it.  With the above, I can now sign my commits with emacs!  But
I would rather keep my wayland only session.  Let's try pinentry-bemenu:

    guix package -i pinentry-bemenu -r pinentry

    cat config | grep xwayland

    # disable xwayland.
    xwayland disable

Well that didn't work.  Let's try pinentry-gnome3.

    guix package -r pinentry-bemenu -i pinentry-gnome3

Nope.  It's X only.  Let's try qt:

    guix package -r pinentry-gnome3 -i pinentry-qt

Nope.  That also seems to be X only.  grr.  Maybe this bemenu thing works, but I
need to configure it properly.

Well let's install pinentry, and temporarily enable xwayland.

    guix package -r pinentry-tty -i pinentry

    cat config | grep xwayland

    # enable xwayland.
    xwayland enable

Well I should probably try eventually to edit `.config/gpg.conf` and tell it to
use pinentry-bemenu as the pinentry program.

I think that spending all that time working on getting gpg key signing to work
was probably a big waste of time.  :(   I think instead of keeping my opensmtpd
code in guix-src/gnu/services/mail.scm, I will move it to
guixrus/services/opensmtpd.scm.  Then I can just copy the opensmtpd.scm file to my
linode server, and manually load in that code to start my opensmtpd service.

First I will delete the opensmtpd record stuff in gnu/services/mail.scm.  I
don't want myself getting confused about where I am storing my developmental code.

Now I will cp my opensmtpd.scm code into my linode service git repo.

    cp opensmtpd.scm ~/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/
    ls ~/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/opensmtpd.scm
    cat ~/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/opensmtpd.scm | tail

    /home/joshua/prog/gnu/guix/guix-config/linode-guix-system-configuration/guixrus/services/opensmtpd.scm
              (service-extension pam-root-service-type
                                 (const %opensmtpd-pam-services))
              (service-extension profile-service-type
                                 (compose list opensmtpd-configuration-package))
              (service-extension shepherd-root-service-type
                                 opensmtpd-shepherd-service)
              (service-extension setuid-program-service-type
                                 opensmtpd-set-gids)))
       (description "Run the OpenSMTPD, a lightweight @acronym{SMTP, Simple Mail
    Transfer Protocol} server.")))

Now I will commit the changes to my linode git repo and push them.

    git add opensmtpd.scm
    git commit -m "copying opensmtpd.scm from guixrus."

    [master 7399550] copying opensmtpd.scm from guixrus.
     1 file changed, 7 insertions(+)
     rename opensmtpd.scm => guixrus/services/opensmtpd.scm (99%)

Hmmm, was that commit signed?  No idea.

Now let's push that commit.

    git push
    
Now let's log into the gnucode service and pull that commit.

    git pull
    cat opensmtpd.scm | tail

    Updating a8d88b9..7399550
    Fast-forward
     opensmtpd.scm => guixrus/services/opensmtpd.scm | 7 +++++++
     1 file changed, 7 insertions(+)
     rename opensmtpd.scm => guixrus/services/opensmtpd.scm (99%)

I am realizing that it will probably be easiest to reconfigure my server with my
opensmtpd records, if my server has the same directory structure as my local
machine. Namely my git repos are in the same directories. So I did some changes
on my server to make sure that my server's directory structure matches my local
one. Now my server's `config.scm` is no longer at
~/linode-guix-system-configuration/linode-locke-lamora-current-config.scm. Now
it is at:

    find . -name '*current-config.scm'

    ./prog/gnu/guix/guix-config/linode-guix-system-configuration/linode-locke-lamora-current-config.scm

I want to make sure that my remote server has a copy of the guixrus source code
with my newest commit committing `services/opensmtpd.scm`.

So, I made a guixrus repo on [notabug.org](https://notabug.org/jbranso/guixrus), then I pulled that repo on my server:

    git clone  https://notabug.org/jbranso/guixrus

    git show HEAD | head

    commit 147a9ce316be2f9f7c9ed25b3e097fd84b8b01eb
    Author: Joshua Branson <jbranso@dismail.de>
    Date:   Thu Dec 22 09:21:19 2022 -0500
    
        services (opensmtpd): add opensmtpd records to enhance opensmtpd-configuration.
    
        Openmstpd-configuration may only be configured by a config-file that
        uses the smtpd.conf syntax.  This patch, enables one to configure
        opensmtpd by using record types.

It would be nice to test the configuration locally, to see if it will work
before I push it to the server.

    guix system vm linode-locke-lamora-current-config.scm

    guix system: error: (cert "/etc/letsencrypt/live/gnucode.me/fullchain.pem") is invalid.
    hint: Try a file.

The above is actually a good sign.  I do not have that certificate locally, but
it is available on the server.  If that is the only error, then let's go ahead
and try to reconfigure the server.

The relevant opensmtpd-service looks like:

    (service opensmtpd-service-type
             (let ([action-receive (opensmtpd-local-delivery
                                    (name "receive")
                                    (method (opensmtpd-maildir
                                             (pathname "/home/%{rcpt.user}/Maildir")
                                             (junk #t)))
                                    (virtual (opensmtpd-table
                                              (name "vusers")
                                              (data '(("joshua@gnucode.me"  . "joshua")
                                                      ("jbranso@gnucode.me" . "joshua")
                                                      ("postmaster@gnucode.me" .  "joshua"))))))]
                   [pki-gnucode (opensmtpd-pki
                                 (domain "smtp.gnucode.me")
                                 (cert "/etc/letsencrypt/live/gnucode.me/fullchain.pem")
                                 (key "/etc/letsencrypt/live/gnucode.me/privkey.pem"))]
                   [filter-dkimsign (opensmtpd-filter
                                     (name "dkimsign")
                                     (exec #t)
                                     (proc (list (file-append opensmtpd-filter-dkimsign "/libexec/opensmtpd/filter-dkimsign")
                                                 " -d gnucode.me -s 2021-09-22 -c relaxed/relaxed -k "
                                                 "/etc/dkim/private.key "
                                                 "user nobody group nogroup")))]
                   [table-creds (opensmtpd-table
                                 (name "creds")
                                 (data
                                  (list
                                   (cons "joshua"
                                         "$6$Ec4m8FgKjT2F/03Y$k66ABdse9TzCX6qaALB3WBL9GC1rmAWJmaoSjFMpbhzat7DOpFqpnOwpbZ34wwsQYIK8RQlqwM1I/v6vsRq86."))))])
               (opensmtpd-configuration
                (interfaces
                 (list
                  ;; this forum help suggests that I listen on 0.0.0.0 and NOT eth0
                  ;; https://serverfault.com/questions/726795/opensmtpd-wont-work-at-reboot
                  ;; this listens for email from the outside world
                  (opensmtpd-interface
                   (interface "eth0")
                   (port 25)
                   (secure-connection "tls")
                   (pki pki-gnucode))
                  ;; this lets local users logged into the system via ssh send email
                  (opensmtpd-interface
                   (interface "lo")
                   (port 25)
                   (secure-connection "tls")
                   (pki pki-gnucode))
                  (opensmtpd-interface
                   (interface "eth0")
                   (port 465)
                   (secure-connection "smtps")
                   (pki pki-gnucode)
                   (auth table-creds)
                   (filters (list filter-dkimsign)))
                  (opensmtpd-interface
                   (interface "eth0")
                   (port 587)
                   (secure-connection "tls-require")
                   (pki pki-gnucode)
                   (auth table-creds)
                   (filters (list filter-dkimsign)))))
                (matches (list
                          (opensmtpd-match
                           (action (opensmtpd-relay
                                    (name "relay")))
                           (options
                            (list
                             (opensmtpd-option
                              (option "for any"))
                             (opensmtpd-option
                              (option "from any"))
                             (opensmtpd-option
                              (option "auth")))))
                          (opensmtpd-match
                           (action action-receive)
                           (options
                            (list
                             (opensmtpd-option
                              (option "from any"))
                             (opensmtpd-option
                              (option "for domain")
                              (data (opensmtpd-table
                                     (name "vdoms")
                                     (data (list "gnucode.me"
                                                 "gnu-hurd.com"))))))))
                          (opensmtpd-match
                           (action action-receive)
                           (options
                            (list
                             (opensmtpd-option
                              (option "for local"))))))))))

I was curious to see how outdated my server is.  It's dated apparently.

    guix system describe

    Generation 118	Aug 14 2022 02:45:18	(current)
      file name: /var/guix/profiles/system-118-link
      canonical file name: /gnu/store/7jkrafkf61bw3fdxlrlzvkrl98ys1icj-system
      label: GNU with Linux-Libre 5.18.16
      bootloader: grub
      root device: /dev/sda
      kernel: /gnu/store/iz6xn1b1dyk6pwaf6dym3jm3vwnh4gz9-linux-libre-5.18.16/bzImage
      channels:
        guix:
          repository URL: https://git.savannah.gnu.org/git/guix.git
          branch: master
          commit: 43decd1f7ea4ebd911199ad10c0ca555d0dffbd6
      configuration file: /gnu/store/rv7rhwn5kd9yxv8kayqlsgxwyhcz55ca-configuration.scm

Let's try reconfiguring my server with the opensmtpd configuration.

    guix pull
    sudo guix system reconfigure linode-locke-lamora-current-config.scm

    In srfi/srfi-1.scm:
       586:29 19 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
       586:29 18 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
       586:29 17 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
       586:29 16 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
       586:29 15 (map1 (#<<service> type: #<service-type mingetty 7f8…> …))
       586:29 14 (map1 (#<<service> type: #<service-type agetty 7f8c1…> …))
       586:29 13 (map1 (#<<service> type: #<service-type syslog 7f8c1…> …))
       586:29 12 (map1 (#<<service> type: #<service-type console-font…> …))
       586:29 11 (map1 (#<<service> type: #<service-type virtual-term…> …))
       586:17 10 (map1 (#<<service> type: #<service-type opensmtpd 7f…> …))
    In guixrus/services/opensmtpd.scm:
      2567:27  9 (opensmtpd-shepherd-service #<<opensmtpd-configuration>…>)
      2541:19  8 (opensmtpd-configuration->mixed-text-file #<<opensmtpd-…>)
       2496:3  7 (opensmtpd-configuration->string #<<opensmtpd-configura…>)
       2421:9  6 (opensmtpd-configuration-fieldname->string #<<opensmtp…> …)
      2430:10  5 (list-of-records->string (#<<opensmtpd-interface> i…> …) …)
      2434:17  4 (loop (#<<opensmtpd-interface> interface: "eth0" fam…> …))
       1848:5  3 (opensmtpd-interface->string #<<opensmtpd-interface> in…>)
    In unknown file:
               2 (string-append "" "" "" "" "" "tls " #<unspecified> "p…" …)
    In ice-9/boot-9.scm:
      1685:16  1 (raise-exception _ #:continuable? _)
      1685:16  0 (raise-exception _ #:continuable? _)
    
    ice-9/boot-9.scm:1685:16: In procedure raise-exception:
    In procedure string-append: Wrong type (expecting string): #<unspecified>

Ahh, I know what that problem is!  Let's fix that.  So now I have to make a local
commit, push it to my notabug.org/guixrus, ssh into lamora, run `git pull` on
the guixrus repo, then try to reconfigure.  This seems like a very odd/poor way
to test changes: making a commit locally, pushing it, pulling it, and then
wondering if the reconfigure will work.  I should really set up guix deploy.

    sudo guix system reconfigure linode-locke-lamora-current-config.scm

     module-import-compiled  1.0MiB                                         1.6MiB/s 00:01 [##################] 100.0%
    building /gnu/store/mw8x4pbl11a5pdgxqcw2vvczdccpmicf-switch-to-system.scm.drv...
    making '/gnu/store/0v5sbvlx9r151gjlc906lxyhps7xx1h8-system' the current system...
    setting up setuid programs in '/run/setuid-programs'...
    populating /etc from /gnu/store/1n0l349b03h7dclwai9l0kxglb8kwyv0-etc...
    checking syntax of /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf
    /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf:14: syntax error
    /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf:21: no such dispatcher: relay

Ok, so I have a configuration error.  Let's take a look at the generated
configuration file:

-   The first error is this:
    
        cat /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf | grep '<"<"'
    
        listen on eth0 filter "dkimsign" smtps port 465 pki smtp.gnucode.me auth <"<"creds">">
        listen on eth0 filter "dkimsign" tls-require port 587 pki smtp.gnucode.me auth <"<"creds">">
    
    It should be `<"creds">`.

-   Another error is this:
    
        cat /gnu/store/51hahfmqlkj9jfxa2cqbm6dd05qrzxzd-smtpd.conf  | grep match
    
        match !for any !from any !auth action "relay"
        match !from any !for domain <"vdoms"> action "receive"
        match !for local action "receive"

These match options should NOT be false. Let's quickly fix those issues and
reconfigure again:

    sudo guix system reconfigure linode-locke-lamora-current-config.scm

    checking syntax of /gnu/store/a69a5vn2r94glh58wlfq41ygfl38ikgn-smtpd.conf
    configuration OK

That's a good sign!

Let's reboot and see what happens!

Well when I rebooted, smtpd refused to start.  Let's look at the config file.

    cat /gnu/store/a69a5vn2r94glh58wlfq41ygfl38ikgn-smtpd.conf

    filter "dkimsign" proc-exec "/gnu/store/n2f5waxzdzcsdvh0xydhnc174n3kingw-opensmtpd-filter-dkimsign-0.6/libexec/opensmtpd/filter-dkimsign -d gnucode.me -s 2021-09-22 -c relaxed/relaxed -k /etc/dkim/private.key user nobody group nogroup"
    
    mta max-deferred 100
    
    table "creds" { "joshua" = "$6$Ec4m8FgKjT2F/03Y$k66ABdse9TzCX6qaALB3WBL9GC1rmAWJmaoSjFMpbhzat7DOpFqpnOwpbZ34wwsQYIK8RQlqwM1I/v6vsRq86." }
    table "vusers" { "joshua@gnucode.me" = "joshua", "jbranso@gnucode.me" = "joshua", "postmaster@gnucode.me" = "joshua" }
    table "vdoms" { "gnucode.me", "gnu-hurd.com" }
    
    pki smtp.gnucode.me cert "/etc/letsencrypt/live/gnucode.me/fullchain.pem"
    pki smtp.gnucode.me key "/etc/letsencrypt/live/gnucode.me/privkey.pem"
    
    listen on eth0 tls port 25 pki smtp.gnucode.me
    listen on lo tls port 25 pki smtp.gnucode.me
    listen on eth0 filter "dkimsign" smtps port 465 pki smtp.gnucode.me auth <"creds">
    listen on eth0 filter "dkimsign" tls-require port 587 pki smtp.gnucode.me auth <"creds">
    
    action "relay" relay
    
    action "receive" maildir "/home/%{rcpt.user}/Maildir" junk virtual <"vusers">
    
    match for any from any auth action "relay"
    match from any for domain <"vdoms"> action "receive"
    match for local action "receive"
    
It seems to be just fine...hmmm.  What does the error log say?

    cat /var/log/maillog | tail

    Dec 22 10:05:41 localhost smtpd[19325]: warn: lost processor: dkimsign exited abnormally
    Dec 22 10:05:41 localhost smtpd[19328]: dkimsign: Can't open key file (/etc/dkim/private.key): No such file or directory
    Dec 22 10:05:41 localhost smtpd[19330]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
    Dec 22 10:05:41 localhost smtpd[19325]: Exiting
    Dec 22 11:22:18 localhost smtpd[268]: info: OpenSMTPD 6.8.0p2 starting
    Dec 22 11:22:18 localhost smtpd[269]: warn: lost processor: dkimsign exited abnormally
    Dec 22 11:22:18 localhost smtpd[272]: dkimsign: Can't open key file (/etc/dkim/private.key): No such file or directory
    Dec 22 11:22:18 localhost smtpd[274]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
    Dec 22 11:22:18 localhost smtpd[269]: Exiting

Ok, well I think I found the problem. haha.  Let's see, ah, looks like that key
is here:

    find . -name '*key'

    /etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key

Let's commit my current-config locally, push it upstream, pull it from my server
and reconfigure.

    sudo guix system reconfigure linode-locke-lamora-current-config.scm

    checking syntax of /gnu/store/42q90z8n03zi9rx29gwdnms4sdr2g2p9-smtpd.conf
    configuration OK

After I rebooted, smtpd still was not starting.  Let's try to find out why:

    cat /var/log/maillog | tail

    Dec 22 11:38:03 localhost smtpd[498]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
    Dec 22 11:38:03 localhost smtpd[493]: warn: lost processor: dkimsign exited abnormally
    Dec 22 11:38:03 localhost smtpd[496]: dkimsign: Can't open key file (/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key): Permission denied
    Dec 22 11:38:03 localhost smtpd[493]: Exiting
    Dec 22 11:40:02 localhost dovecot: master: Dovecot v2.3.19.1 (9b53102964) starting up for imap (core dumps disabled)
    Dec 22 11:42:41 localhost smtpd[258]: info: OpenSMTPD 6.8.0p2 starting
    Dec 22 11:42:41 localhost smtpd[259]: warn: lost processor: dkimsign exited abnormally
    Dec 22 11:42:41 localhost smtpd[262]: dkimsign: Can't open key file (/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key): Permission denied
    Dec 22 11:42:41 localhost smtpd[264]: warn: invalid envelope a565cee5a763bf31: unknown dispatcher
    Dec 22 11:42:41 localhost smtpd[259]: Exiting

Ok, this is just a permissions error.  That's an easy fix!  I ran
`sudo chown -R smtpd /etc/opensmtpd`.  Then I got this beauty:

    sudo herd start smtpd

    Service smtpd has been started.
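
Both failed starts above came from the DKIM key file (first missing, then unreadable), even though the syntax check had printed `configuration OK`. The script below is an added example, not code from this post or from OpenSMTPD: it pulls the certificate and key paths out of a generated `smtpd.conf` and checks that they exist, that private keys have no group/other permission bits, and that the DKIM key is owned by a given uid. The function names, the optional ROOT prefix argument and the staged sample tree are assumptions made for the example.

```sh
#!/bin/sh
# Added example: check the files a generated smtpd.conf points at.

# Print "KIND PATH" for every certificate or key the config references.
referenced_files() {
    # pki <name> cert "<path>"   and   pki <name> key "<path>"
    sed -nE 's/^pki [^ ]+ (cert|key) "([^"]+)".*/\1 \2/p' "$1"
    # filter-dkimsign gets its private key as "-k <path>" inside proc-exec
    sed -nE 's/^filter .*proc-exec ".* -k ([^ "]+).*/dkim \1/p' "$1"
}

# check_conf CONF UID [ROOT]
# UID:  numeric uid expected to own the DKIM key (assumption: the filter
#       runs as that user, as the chown to smtpd in the post suggests).
# ROOT: hypothetical prefix so the check can run against a staged tree.
# Returns non-zero if a file is missing, a private key has group/other
# permission bits, or the DKIM key has a different owner.
check_conf() {
    conf=$1 want_uid=$2 root=${3:-} rc=0
    while read -r kind file; do
        [ -n "$kind" ] || continue
        f=$root$file
        if [ ! -e "$f" ]; then
            echo "MISSING $kind $file"; rc=1; continue
        fi
        [ "$kind" = cert ] && continue      # public data, existence is enough
        set -- $(ls -lnLd "$f")             # $1 = mode string, $3 = owner uid
        case $1 in
            ????------*) ;;                 # no group/other bits set
            *) echo "LOOSE-MODE $kind $file ($1)"; rc=1 ;;
        esac
        if [ "$kind" = dkim ] && [ "$3" != "$want_uid" ]; then
            echo "WRONG-OWNER $kind $file (uid $3, want $want_uid)"; rc=1
        fi
    done <<EOF
$(referenced_files "$conf")
EOF
    return $rc
}

# Constructed sample: config lines modelled on the generated file shown in the
# post (store path shortened); the staged files are empty placeholders.
stage_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/letsencrypt/live/gnucode.me" "$d/etc/opensmtpd/dkimsign"
    : > "$d/etc/letsencrypt/live/gnucode.me/fullchain.pem"
    : > "$d/etc/letsencrypt/live/gnucode.me/privkey.pem"
    : > "$d/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key"
    chmod 600 "$d/etc/letsencrypt/live/gnucode.me/privkey.pem" \
              "$d/etc/opensmtpd/dkimsign/2021-09-22-rsa1024-gnucode.me.key"
    cat > "$d/smtpd.conf" <<'EOF'
filter "dkimsign" proc-exec "/gnu/store/CONSTRUCTED-opensmtpd-filter-dkimsign/libexec/opensmtpd/filter-dkimsign -d gnucode.me -s 2021-09-22 -c relaxed/relaxed -k /etc/dkim/private.key user nobody group nogroup"
pki smtp.gnucode.me cert "/etc/letsencrypt/live/gnucode.me/fullchain.pem"
pki smtp.gnucode.me key "/etc/letsencrypt/live/gnucode.me/privkey.pem"
EOF
    echo "$d"
}

# Demo: the sample config still points at /etc/dkim/private.key, which is not
# in the staged tree, so the check reports it and fails.
d=$(stage_sample)
check_conf "$d/smtpd.conf" "$(id -u)" "$d" || echo "preflight failed"
rm -rf "$d"
```

On the server it would be called with the real config path and the smtpd user's numeric uid (`id -u smtpd`), without the ROOT argument.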

Woo hoo!  Now let's try to send an email and see if it works!

I sent an email to gmail, and if you select an email in gmail, you can click on
view original.  It showed me that I did pass dkimsigning!  That's awesome!  And
my email was in my gmail inbox.  That's a really good sign!  Now I am off to
submit a patch to guixrus!

I did get a tip from someone on irc that mentioned that I should verify my
dkimsigning and SPF via <https://dkimvalidator.com/>. And when I used that tool, I
discovered that my SPF was failing, so I will need to fix that.
